Skip to content
New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

Sign up for GitHub

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Jump to bottom

public_key:pkix_path_validation fails validation of certs expiring later than 2050 #6403

Closed
andreasanta opened this issue Oct 30, 2022 · 4 comments · Fixed by #6542
Closed

public_key:pkix_path_validation fails validation of certs expiring later than 2050 #6403

andreasanta opened this issue Oct 30, 2022 · 4 comments · Fixed by #6542
Assignees
@kikofernandez
Labels
bug Issue is reported as a bug enhancement team:PS Assigned to OTP team PS

Comments

@andreasanta
Copy link
Contributor

andreasanta commented Oct 30, 2022
edited
Loading

Describe the bug
When a certificate contains a notAfter attribute with utcTime and 69 as year, the current implementation interprets 69 as 1969 and thus fails validation.

To Reproduce

public_key:pkix_path_validation(
   base64:decode(
<<"MIIB8jCCAXmgAwIBAgIQJK7xvc/d7ftI/3ItJKDnATAKBggqhkjOPQQDAjA5MQwwCgYDVQQMDANURUUxKTAnBgNVBAUTIDMwMGNmYWMwYWZjNzVlYjM1OTU5YWYwOTRlYzg3ZTkzMB4XDTIxMDExMzIwNTUzN1oXDTMxMDExMTIwNTUzN1owOTEMMAoGA1UEDAwDVEVFMSkwJwYDVQQFEyBhYzkyMDUxMmE0OGJjYmI4MmExMzJiODI0MGMzMGY3ZjBZMBMGByqGSM49AgEGCCqGSM49AwEHA0IABACWY0wWoGe6ZEhNH44bU3wdDzyzgpQYcI63vQQNZJQA77SNW/RLPpZY0/v9si0x0Fj3jVTI7T4vXmTHWHz5S2+jYzBhMB0GA1UdDgQWBBT8S00goQucA/MSK8z/otKDRGLXLTAfBgNVHSMEGDAWgBSF5719t7pZSOmQAu5T/SYhsaYRozAPBgNVHRMBAf8EBTADAQH/MA4GA1UdDwEB/wQEAwICBDAKBggqhkjOPQQDAgNnADBkAjB41XYKh9vPV0+TGReEdazolyVtHGLxbn4nCpCEnhQ5KFaqpmfLZu78SdLH4YCwET0CMCxqkX2WJ7nq9OQ+EUB1Tm/rOQxU+Ncc9m1bO3ljHTEVrn3SPdhm7QOpaEg+zgRznA==">>),
   [base64:decode(
<<"MIICijCCAjCgAwIBAgIBATAKBggqhkjOPQQDAjA5MQwwCgYDVQQMDANURUUxKTAnBgNVBAUTIGFjOTIwNTEyYTQ4YmNiYjgyYTEzMmI4MjQwYzMwZjdmMB4XDTcwMDEwMTAwMDAwMFoXDTY5MTIzMTIzNTk1OVowHzEdMBsGA1UEAwwUQW5kcm9pZCBLZXlzdG9yZSBLZXkwWTATBgcqhkjOPQIBBggqhkjOPQMBBwNCAAQpU+wq5kskHQlVw9G99ZaBc5W10UBSHaPsZUKqv0bFeEgxoTedp4UwQnYQF8UBTHHTX1Jrj67SPS9/aZGN4/bUo4IBQTCCAT0wDgYDVR0PAQH/BAQDAgeAMIIBKQYKKwYBBAHWeQIBEQSCARkwggEVAgEDCgEBAgEECgEBBCAOvA1gDJ7gK+NmuvB1bnnmVXF5tkah8Kst9H5V2QElLAQAMFC/hT0IAgYBhBBomCi/hUVABD4wPDEWMBQEDGNvbS53aGF0c2FwcAIEDUA2RDEiBCA5h9BD0Qrvr1qHELNnFBj+V+Dhm2U8nfglWP61/85dRDCBkKEFMQMCAQKiAwIBA6MEAgIBAKUIMQYCAQQCAQaqAwIBAb+DdwIFAL+FPgMCAQC/hUBMMEoEIL6unE424R3wU24e9wDk/sO7HAzEtYDyKx6J0Kb0B1GwAQH/CgEABCBX83onOiYL+Ly+AYx+cJR2jBI6wHIWgSyVMrhl6EH4Yr+FQQUCAwGtsL+FQgUCAwMV3zAKBggqhkjOPQQDAgNIADBFAiEAwH0/6EKJ+yySQInM6OyzOGEuLDUbifJe7n41VSG55sACID7UxW08BNmH8Fr2f7rhcgczI+mcdYIMTUQlVMoHxw2Y">>
   )], 
   []
).

Will yield
{error,{bad_cert,cert_expired}}

Expected behavior
Certificate validation should succeed, and the 69 component of the certificate attribute notAfter should be interpreted as 2069 instead of 1969.

Affected versions
Erlang/OTP 25 [erts-13.0.2]

Additional context
This is due to the implementation of validate_time inside public_key.erl. The implementation uses the simple method instead of the rolling window method reported in https://www.oss.com/asn1/resources/books-whitepapers-pubs/larmouth-asn1-book.pdf
(page 91).
@andreasanta andreasanta added the bug Issue is reported as a bug label Oct 30, 2022
@andreasanta andreasanta changed the title public_key:pkix_path_validation fails validation of certs expiring in 2069 public_key:pkix_path_validation fails validation of certs expiring later than 2050 Oct 30, 2022
@rickard-green rickard-green added the team:PS Assigned to OTP team PS label Oct 31, 2022
@IngelaAndin
Copy link
Contributor

I agree that we should change the implementation to use rolling window method.

@IngelaAndin
Copy link
Contributor

Although the sliding window expects that you have no older certs than 50 years back, this seems not to be working out for your example.

validity =
#'Validity'{
notBefore = {utcTime,"700101000000Z"},
notAfter = {utcTime,"691231235959Z"}}.

So we get NotBefore: 2070, NotAfter: 2069. But I guess you wanted NotBefore: 1970, NotAfter:2069.

@IngelaAndin
Copy link
Contributor

The best of course is to make new certs adhere to the new date-format so that we do not have to guess!

@kikofernandez kikofernandez self-assigned this Dec 6, 2022
@kikofernandez kikofernandez mentioned this issue Dec 9, 2022
Merged
kikofernandez added a commit that referenced this issue Dec 27, 2022
@kikofernandez
Merge pull request #6542 from kikofernandez/kiko/public_key/certifica…
03ab141 
…te-validation/GH-6403/OTP-18356

Improve `public_key:pkix_path_validation` to allow certificates that expire after 2050 
OTP-18356
@kikofernandez
Copy link
Contributor

Closed by PR #6542

kikofernandez added a commit that referenced this issue Jan 12, 2023
@kikofernandez
Merge pull request #6647 from kikofernandez/kiko/public_key/certifica…
cc646b6 
…te-validation/GH-6403/OTP-18356

public_key: fix pre2000 test with change of year 2023
This issue was closed.
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment
Assignees

@kikofernandez kikofernandez

Labels
bug Issue is reported as a bug enhancement team:PS Assigned to OTP team PS
Projects
None yet
Milestone
No milestone
4 participants
@rickard-green @IngelaAndin @kikofernandez @andreasanta